deps: update openssl to quictls/openssl 3.0.0+quic

This pull request updates the OpenSSL version that is statically linked with Node.js from OpenSSL 1.1.1 to quictls OpenSSL 3.0.0+quic.

This pull request will replace the OpenSSL version that is currently in the deps directory and when performing a normal build OpenSSL 3.0+quic will be statically linked to the Node.js executable. We will still be able to dynamically link to OpenSSL 1.1.1 and we have a CI job which dynamically links to OpenSSL 1.1.1 which is run for every pull request to make sure that we maintain backward compatibility.

The question is when does the community think that we should make this switch to OpenSSL 3.0+quic?


Building

$ ./configure && make -j8 test
...
[03:59|% 100|+ 3363|-   0]: Done

Verify that OpenSSL is statically linked

$ ldd ./node
	linux-vdso.so.1 (0x00007ffff7fcf000)
	libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007ffff7f9d000)
	libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007ffff7da4000)
	libm.so.6 => /usr/lib64/libm.so.6 (0x00007ffff7c5e000)
	libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007ffff7c44000)
	libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007ffff7c22000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007ffff7a59000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd1000)
$ ./node -p 'process.versions.openssl'
3.0.0+quic

Building with FIPS support

$ ./configure --openssl-is-fips && make -j8 test
...
[04:06|% 100|+ 3384|-   0]: Done

The above command will build and install the FIPS module into the out directory. This includes building fips.so, running the installfips command that generates the FIPS configuration file (fipsmodule.cnf), copying and updating openssl.cnf to include the correct path to fipsmodule.cnf, and finally uncommenting the fips section.

We can then run node specifying --enable-fips:

$ ./node --enable-fips  -p 'crypto.getFips()'
1

The above will use Node's default locations for OpenSSL 3.0:

$ ./out/Release/openssl-cli version -m -d
OPENSSLDIR: "/home/danielbevenius/work/nodejs/openssl/out/Release/obj.target/deps/openssl"
MODULESDIR: "/home/danielbevenius/work/nodejs/openssl/out/Release/obj.target/deps/openssl/lib/openssl-modules"

Hopefully having these defaults will enable CI jobs to be configured without too much trouble, and also enable developers to configure FIPS for development/testing.
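The static-link check above passes because the `ldd` output lists no `libssl.so` or `libcrypto.so` entry. As an added example (not part of this pull request or the Node.js build scripts), the same check can be scripted for a CI job; the function names are hypothetical, and the sample `ldd` text is constructed, the static case modelled on the listing above.

```shell
#!/bin/sh
# Added example, not from the pull request. Function names are hypothetical.

# Print the OpenSSL shared libraries named in `ldd` output read on stdin.
# Prints nothing when OpenSSL is statically linked into the binary.
dynamic_openssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 }'
}

# Classify a process.versions.openssl string.
classify_openssl_version() {
    case "$1" in
        3.0.*+quic) echo "3.0+quic" ;;
        3.0.*)      echo "3.0" ;;
        1.1.1*)     echo "1.1.1" ;;
        *)          echo "other" ;;
    esac
}

# check_node_build <ldd-output> <version-string>
# Succeeds only if no OpenSSL shared library is linked and the reported
# version is the quictls 3.0 build described above.
check_node_build() {
    libs=$(printf '%s\n' "$1" | dynamic_openssl_libs)
    if [ -n "$libs" ]; then
        echo "OpenSSL is dynamically linked:" $libs >&2
        return 1
    fi
    kind=$(classify_openssl_version "$2")
    [ "$kind" = "3.0+quic" ] || { echo "unexpected OpenSSL: $2" >&2; return 1; }
}

# Constructed sample inputs (addresses are illustrative).
STATIC_LDD='	linux-vdso.so.1 (0x00007ffff7fcf000)
	libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007ffff7f9d000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007ffff7a59000)'
SHARED_LDD='	linux-vdso.so.1 (0x00007ffff7fcf000)
	libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007ffff7e00000)
	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007ffff7b00000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007ffff7a59000)'

# Against a real build:
#   check_node_build "$(ldd ./node)" "$(./node -p 'process.versions.openssl')"
```
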
